HUNTING ANDROID MALWARE
A novel runtime technique for identifying malicious applications

WHOAMI
- @brompwnie

THANK YOU
- SensePost
- Heroku

OUTLINE
- The Problem
- The Question
- The Idea
- PoC
- Results
- Conclusion

THE PROBLEM
- Android malware has been and still is a constant threat in the Android ecosystem

THE QUESTION
- July 2017, at a conference... in Las Vegas...

THE QUESTION
- "How do I protect myself from these kinds of attacks?"
- We have to look at the APK:
  - Statically
  - In a sandbox

CURRENT TECHNIQUES
- We look at malware in a few ways:
  - Hashes
  - Code signatures
  - Permissions
  - Reputation
  - Behavior

CURRENT DEFENCES
- Google Play Protect
- Google Play Store
- Third-party software
- Anti-virus
- MDM, MAM, MOM, MMM, ...

FRUSTRATIONS
- Static analysis is hard
- Can't run Cuckoo on my phone
- Scalability
- What if the application isn't on the App Store?
- Bypassing AV is too easy

THE FRUSTRATION
- No reliable way to detect malware on devices

THE IDEA
- But there's HEAPS of data...
- Android apps make use of objects
- Import statements are useful, BUT
  - You can import but not instantiate
  - If it's instantiated, it's probably being used
  - Instantiated objects have data (some)

/PROC//MAPS? /PROC//MEM? DUMP.HPROF?

THE IDEA
- Instrumentation
  - Objects on the HEAP
  - Trace calls and behaviour
- Recent developments made it easier (for me)
- Great way to gain insight into applications
- Extremely powerful
- Runtime is the best course of action
- https://www.frida.re/

THE IDEA
- Wouldn't it be cool if at runtime I could see:
  - Which objects are instantiated
  - What the values of these objects are

THE IDEA
- This would give me an idea as to WHAT an app is doing and HOW

THE IDEA
- For example, analysing an app with a meterpreter backdoor:
- Experience tells me to look for:
  - DexClassLoader
  - TCP connection
- Which tells me that this app is:
  - Injecting code at runtime
  - Communicating remotely
DEMO: BASIC MALWARE INFECTION
DEMO: BASIC RUNTIME MALWARE ANALYSIS
HOW DOES IT WORK WITH OTHER APPS?
STATIC VS RUNTIME
- What static analysis won't show:
  - Runtime injection
  - Class loaders
  - What if you don't have the injected JAR/APK?
    - /data/data/com.app.sandbox
  - java.lang.Runtime.exec("/bin/sh")
    - No import statements
    - Instantiated but kinda immutable
DEMO: WHAT STATIC CAN'T SHOW YOU
HEAPS OF LOVE
- Don't have to trawl code
- Identify specific anomalies

HEAPS OF FRUSTRATION
- java.lang.Runtime
  - Kind of immutable?
  - exec("/system/bin/ps")
  - Does not have much of a footprint

HEAPS OF FRUSTRATION
- What's the plan?
- What is fundamental to objects?
- We can hook methods, i.e. Runtime.getRuntime().exec("/bin/sh")
- How? Overload with Frida
- Not just looking at object state, but at object behaviour
DEMO: OVERLOAD 'DEM METHODS
SNAPSHOT
- We have the ability to:
  - Analyse objects on the HEAP
  - Hook methods for certain objects
  - Perform this at runtime on a device
  - See more than static analysis
  - Perform the above from a workstation
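The heap-walk plus method-hook approach from the slides above (looking for instantiated DexClassLoader and TCP objects, and overloading Runtime.exec with Frida), written out as an added Frida script; this is not the talk's or Uitkyk's own code, and the indicator class list and the scoring rule are my assumptions.

```javascript
// Added example, not the talk's or Uitkyk's own code: a Frida script that
// counts live instances of indicator classes on the Java heap, hooks every
// Runtime.exec overload, and scores the result. The indicator classes are an
// assumption based on the DexClassLoader + TCP pattern described in the talk.
const INDICATORS = {
  'dalvik.system.DexClassLoader': 'runtime code loading',
  'java.net.Socket': 'outbound TCP connection',
};
// Pure scoring logic, kept free of Frida APIs so it runs (and is testable) in
// plain Node. findings = { instantiated: {className: count}, execCalls: [cmd] }
function assessFindings(findings) {
  const count = (cls) => findings.instantiated[cls] || 0;
  const reasons = [];
  for (const [cls, why] of Object.entries(INDICATORS)) {
    if (count(cls) > 0) reasons.push(`${cls} x${count(cls)}: ${why}`);
  }
  if (findings.execCalls.length > 0) {
    reasons.push(`Runtime.exec called: ${findings.execCalls.join(', ')}`);
  }
  // Heuristic from the talk: code loading combined with remote comms or
  // shell execution is what a meterpreter-style backdoor looks like at runtime.
  const suspicious = count('dalvik.system.DexClassLoader') > 0 &&
    (count('java.net.Socket') > 0 || findings.execCalls.length > 0);
  return { suspicious, reasons };
}
// Frida part: only active inside an attached process, where `Java` exists.
if (typeof Java !== 'undefined') {
  Java.perform(function () {
    const findings = { instantiated: {}, execCalls: [] };
    // Walk the heap for each indicator class (an import alone never shows up here).
    for (const cls of Object.keys(INDICATORS)) {
      Java.choose(cls, {
        onMatch: function () { findings.instantiated[cls] = (findings.instantiated[cls] || 0) + 1; },
        onComplete: function () {}
      });
    }
    // Runtime.exec has several overloads; hook them all, record the command, pass through.
    const Runtime = Java.use('java.lang.Runtime');
    Runtime.exec.overloads.forEach(function (ov) {
      ov.implementation = function () {
        findings.execCalls.push(String(arguments[0]));
        return ov.apply(this, arguments);
      };
    });
    // Report once the app has had a moment to run.
    setTimeout(function () { console.log(JSON.stringify(assessFindings(findings))); }, 5000);
  });
}
```

Load it with `frida -U -l script.js -n <package>`; outside Frida only the scoring function is defined, which is what the test below exercises.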
A SOLUTION: SAFETYNET ATTESTATION API
- The SafetyNet Attestation API helps you assess the security and compatibility of the Android environments in which your apps run. You can use this API to analyze devices that have installed your app.
A SOLUTION: SAFETYNET ATTESTATION API
A SOLUTION: UITKYK
- You can use this API to analyze applications that are installed on an Android device
- Custom Android Frida library
- DBUS over TCP
- Frida Server integration
- Can run all the previously demo'd tests
- And more!
A SOLUTION: UITKYK API Hey Frida, give me running processes
A SOLUTION: UITKYK API Hey Android, give me running processes
A SOLUTION: UITKYK API Hey Frida, tell me if this application looks malicious
A SOLUTION: UITKYK API Hey Android, tell me if this application looks malicious
A SOLUTION: UITKYK API
WHY UITKYK API?
- No Android Frida library
- Wanted to use Frida
- Wanted a client/server model
- Didn't want pain

HOW DOES UITKYK, UITKYK?
- TCP socket to daemon
- Push and pull bytes
- Sniffed Frida sessions
- Outlined TCP flags
- Identified key bytes (trial and error)
- Stared at my monitor
- Wash, rinse, repeat
ORIGINAL PYTHON POC
DEMO: UITKYK
UITKYK
- Library: github.com/brompwnie/uitkyk
- Blogpost/s: brompwnie.github.io
- Frida scripts: github.com/brompwnie/uitkyk
- Videos: https://goo.gl/k6bnbq

SHORTCOMINGS
- Increased attack surface
- Abuse (duh)
- We are still struggling to get basic security right

CONCLUSION
- It's a journey
- Uitkyk is a step in the right direction
- No silver bullet
- Defense in depth
- Android OS is key to protecting itself
QUESTIONS?
THANKS!